@khrm
Last active March 9, 2016 13:18
Guidelines for designing and building an authentication system

User Authentication Guidelines:

  1. Store the passwords after hashing. (Does anyone forget it nowadays?)
  2. Invalidate old hashes.
  3. Use the scrypt or bcrypt algorithm for hashing passwords. The hashing time cost should be around 150ms.
  4. Apply an HMAC to the hash before storing it.
  5. Your salt should also be pseudorandom.
  6. Have time/count limit on login attempts.
  7. If using tokens, then don't store them on the server. (I am using jwt. If you really need to store them, then don't forget hash + hmac.)
  8. If using sensitive info in tokens, encrypt them.
  9. For jwt, only store invalidated tokens, and remove them once they expire.
  10. While designing the backend, ensure that you have a system in place that lets you change the salt, the algorithm and other parameters in production without changing the user's password. (Let's say you were using salt/algorithm A and later want to change to B. You shouldn't require users to log in again or invalidate all passwords. Just compare using the old hash and create the new hash if the scheme has changed.)
  11. During password recovery, if using email, also use a security question, because email isn't secure.
  12. If using SMS for recovery, don't store the OTPs. Store a hash of each OTP and validate against that.
  13. Have a time/count limit during recovery for any method.
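As an added example (not part of the original gist), here is the rehash-on-login migration from item 10 combined with items 3 to 5: scrypt from Python's hashlib, an HMAC keyed with a server-side secret, and a CSPRNG salt. The scheme table, the `scheme$salt$mac` record format and the `PEPPER` value are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Server-side HMAC key; lives in config, never in the database (item 4).
# Constructed placeholder for the example only.
PEPPER = b"example-server-secret-not-stored-in-db"

# Scheme id -> scrypt parameters. Adding a new scheme never rewrites stored
# rows; each row is upgraded on its owner's next successful login (item 10).
SCHEMES = {
    1: {"n": 2**12, "r": 8, "p": 1},   # legacy cost
    2: {"n": 2**14, "r": 8, "p": 1},   # current cost, tune toward ~150 ms
}
CURRENT = 2


def _derive(password: str, salt: bytes, scheme: int) -> bytes:
    """scrypt the password, then HMAC the result with the server key."""
    raw = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCHEMES[scheme])
    return hmac.new(PEPPER, raw, hashlib.sha256).digest()


def hash_password(password: str, scheme: int = CURRENT) -> str:
    """Create a stored record: '<scheme>$<salt hex>$<mac hex>'."""
    salt = secrets.token_bytes(16)          # CSPRNG salt (item 5)
    mac = _derive(password, salt, scheme)
    return f"{scheme}${salt.hex()}${mac.hex()}"


def verify_and_upgrade(password: str, stored: str):
    """Return (ok, new_record). new_record is None unless the row must be
    rewritten because it was hashed under an older scheme."""
    scheme_s, salt_hex, mac_hex = stored.split("$")
    scheme = int(scheme_s)
    if scheme not in SCHEMES:
        return False, None
    expected = _derive(password, bytes.fromhex(salt_hex), scheme)
    if not hmac.compare_digest(expected, bytes.fromhex(mac_hex)):
        return False, None
    if scheme != CURRENT:
        # Correct password under the old scheme: re-hash with the current
        # scheme and a fresh salt; the user never notices.
        return True, hash_password(password)
    return True, None
```

The caller stores `new_record` when it is not `None`; rows hashed under a retired scheme disappear as users log in, with no forced reset.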

Language-Specific Guidelines:

Golang

  1. Use crypto/rand, not math/rand.

Recommendation: While most of the guidelines above are concrete, I would like to add that your system should be such that if an attacker has the db/source, he shouldn't be able to exploit it. It's possible that I have forgotten some points related to that.